Securing Ajax Applications
Other resources from O’Reilly
Related titles:
802.11 Security
Computer Security Basics
Java™ Security
Linux Security Cookbook™
Network Security with OpenSSL
Secure Coding: Principles & Practices
Securing Windows NT/2000 Servers for the Internet
SSH, The Secure Shell: The Definitive Guide
Web Security, Privacy, and Commerce
Building Secure Servers with Linux
Ajax and Web Services
Head Rush Ajax
RESTful Web Services
oreilly.com is more than a complete catalog of O’Reilly books. You’ll also find links to news, events, articles, weblogs, sample chapters, and code examples.
oreillynet.com is the essential portal for developers interested in open and emerging technologies, including new platforms, programming languages, and operating systems.
Conferences: O’Reilly brings diverse innovators together to nurture the ideas that spark revolutionary industries. We specialize in documenting the latest tools and systems, translating the innovator’s knowledge into useful skills for those in the trenches. Visit conferences.oreilly.com for our upcoming events.
Safari Bookshelf (safari.oreilly.com) is the premier online reference library for programmers and IT professionals. Conduct searches across more than 1,000 books. Subscribers can zero in on answers to time-critical questions in a matter of seconds. Read the books on your Bookshelf from cover to cover or simply flip to the page you need. Try it today for free.
Securing Ajax Applications
Christopher Wells
Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo
Securing Ajax Applications
by Christopher Wells
Copyright © 2007 Christopher Wells. All rights reserved.
Printed in the United States of America.
Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.
O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or corporate@oreilly.com.
Editor: Tatiana Apandi
Production Editor: Mary Brady
Production Services: Tolman Creek Design
Cover Designer: Karen Montgomery
Interior Designer: David Futato
Illustrators: Robert Romano and Jessamyn Read
Printing History:
July 2007: First Edition.
Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly Media, Inc. Securing Ajax Applications, the image of a spotted hyena, and related trade dress are trademarks of O’Reilly Media, Inc.
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.
While every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
This book uses RepKover™, a durable and flexible lay-flat binding.
ISBN-10: 0-596-52931-7
ISBN-13: 978-0-596-52931-4
To Jennafer, my honey, and Maggie, my bit of honey: you two are what make life so sweet.
Table of Contents
Preface ... ix
1. The Evolving Web ... 1
2. Web Security ... 29
3. Securing Web Technologies ... 56
4. Protecting the Server ... 99
6. Securing Web Services ... 155
7. Building Secure APIs ... 174
Index ... 213
Deciding to add security to a web application is like deciding whether to wear clothes in the morning. Both decisions provide comfort and protection throughout the day, and in both cases the decisions are better made beforehand rather than later. Just look around and ask yourself, “How open do I really want to be with my neighbors?” Or, “How open do I really want them to be with me?”
It’s all about sharing. With web sites sharing data via open APIs, web services, and other new technologies, we are experiencing the veritable Woodstock of the digital age. Free love now takes the form of free content and services. Make mashups, not web pages! All right, so let’s get down to business.
Believe it or not, there is security in openness. Look at the United States government, for example. The openness of the U.S. governmental system is what helps keep it secure. Maybe that can work for us, too! Repeat after me:
We, the programmers, in order to build a more perfect Web; to establish presence and ensure server stability; provide for the common Web; promote general security; for ourselves and our posterity; do ordain and establish this constitution…
Sadly, it is not quite that easy—or is it? Checks and balances make governments work. There are layers of cooperation and defense. Each layer provides defense in depth. Web application security is a serious business. All web applications are or will be vulnerable to some form of attack. The thing to remember is that most people are good, and security is implemented to thwart those who are not. So, the chances of your application getting attacked are proportional to the number of bad apples out there.
Audience
This book is for programmers on the front lines looking for a solid resource to help them protect their applications from harm. It is also for the developer or architect interested in sharing or consuming content in a safe way.
Assumptions This Book Makes
This book assumes basic developers’ knowledge of the Internet and web applications. It also assumes a general awareness of security problems that can arise on the Internet. Knowledge of security methodologies and practices is helpful, but not required.
Contents of This Book
Chapter 1, The Evolving Web
Recounts how we got to where we are today on the Web. The chapter explains how web technologies have evolved, and why we have such a tangled Web.
Chapter 2, Web Security
Describes basic security terms, practices, and methodologies. It also lays out and identifies the major vulnerabilities on the Web today.
Chapter 3, Securing Web Technologies
Describes all the different types of web communications. This chapter discusses basic security measures that minimize risk and examines the security of several Internet technologies.
Chapter 4, Protecting the Server
Walks through setting up a secure web server. It offers practical advice to help protect a server from threats on the Internet.
Chapter 5, A Weak Foundation
Explores the major protocols associated with web applications, where the seams are, what the possible attack vectors might be, and some recommended countermeasures to help make applications more secure.
Chapter 6, Securing Web Services
Looks at how web services work, the moving parts, how web technologies such as Ajax can fit in, and what major areas require security attention.
Chapter 7, Building Secure APIs
Examines web API design and construction and points out some security pitfalls along the way.
Chapter 8, Mashups
Discusses the evolution of web APIs and how they work. This chapter also looks at some of the major security issues with mashups, such as lack of trust and authentication. It also tries to answer questions such as what is the worst that can happen, and how to balance openness and security.
Conventions Used in This Book
The following typographical conventions are used in this book:
Constant width bold
Shows commands or other text that should be typed literally by the user
Constant width italic
Shows text that should be replaced with user-supplied values
This icon signifies a tip, suggestion, or general note.
This icon indicates a warning or caution.
Using Code Examples
This book is here to help you get your job done. In general, you may use the code in this book in your programs and documentation. You do not need to contact us for permission unless you’re reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O’Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product’s documentation does require permission.
We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: “Securing Ajax Applications by Christopher Wells. Copyright 2007 Christopher Wells, 978-0-596-52931-4.”
If you feel your use of code examples falls outside fair use or the permission given above, feel free to contact us at permissions@oreilly.com.
Safari offers a solution that’s better than e-Books. It’s a virtual library that lets you easily search thousands of top tech books, cut and paste code samples, download chapters, and find quick answers when you need the most accurate, current information. Try it for free at http://safari.oreilly.com.
Acknowledgments
I would like to extend my thanks to the great folks at O’Reilly for giving me the opportunity to write this book. I would especially like to thank my editor, Tatiana Apandi, for putting up with me, and to all the technical reviewers who read my book and provided such instructive feedback. Thank you.
I would also like to thank Mick Bauer, whose book, Linux Server Security: Tools and Best Practices for Bastion Hosts (O’Reilly), has served as a great inspiration (if you run Linux, read it).
I would additionally like to thank my family—my wife, Jennafer; my daughter, Maggie; my mother and father, Judy and Patrick—and all my kind friends and relatives who helped and encouraged me while writing this book.
Finally, I owe special thanks to my fellow code trolls: Joe Teff, Mitch Moon, Timothy Long, Jeremy Long, Jim Wolf, Bob Maier, Thom Dunlevy, Shahnawaz Sabuwala, and the rest of the EAST team. Never have I met a more talented and knowledgeable group of people. It is truly an honor working with you all.
People are flocking to the Web more than ever before, and this growth is being driven by applications that employ the ideas of sharing and collaboration. Web sites such as Google Maps, MySpace, Yahoo!, Digg, and others are introducing users to new social and interactive features, to seeding communities, and to collecting and reusing all sorts of precious data.
The slate has been wiped clean and the stage set for a new breed of web application. Everything old is new again. Relationships fuel this new Web. And service providers, such as Yahoo!, Google, and Microsoft, are all rushing to expose their wares. It’s like a carnival! Everything is open. Everything is free—at least for now. But whom can you trust?
Though mesmerized by the possibilities, as developers, we must remain vigilant—for the sakes of our users. For us, it is critical to recognize that the fundamentals of web programming have not changed. What has changed is this notion of “opening” resources and data so that others might use that data in new and creative ways. Furthermore, with all this sharing going on, we can’t let ourselves forget that our applications must still defend themselves.
As technology moves forward, and we find our applications becoming more interactive—sharing data between themselves and other sites—it raises a host of new security concerns. Our applications might consist of services provided by multiple providers (sites), each hosting its own piece of the application.
The surface area of these applications grows too. There are more points to watch and guard against—expanding both with technologies such as AJAX on the client and REST or Web Services on the server.
Luckily, we are not left completely empty-handed. Web security is not new. There are some effective techniques and best practices that we can apply to these new applications.
Today, web programming languages make it easy to build applications without having to worry about the underlying plumbing. The details of connection and protocol have been abstracted away. In doing so, developers have grown complacent with their environments and in some cases are even more vulnerable to attack.
Before we continue moving forward, we should look at how we got to where we are today.
The Rise of the Web
In 1989, at a Conseil Européen pour la Recherche Nucléaire (CERN) research facility in Switzerland, a researcher by the name of Tim Berners-Lee and his team cooked up a program and protocol to facilitate the sharing and communication of their particle physics research. The idea of this new program was to be able to “link” different types of research documents together.
What Berners-Lee and the others created was the start of a new protocol, Hypertext Transfer Protocol (HTTP), and a new markup language, Hypertext Markup Language (HTML). Together they make up the World Wide Web (WWW).
The abstract of the original request for comment (RFC 1945) reads:
The Hypertext Transfer Protocol (HTTP) is an application-level protocol with the lightness and speed necessary for distributed, collaborative, hypermedia information systems. It is a generic, stateless, object-oriented protocol which can be used for many tasks, such as name servers and distributed object management systems, through extension of its request methods (commands). A feature of HTTP is the typing of data representation, allowing systems to be built independently of the data being transferred.
HTTP has been in use by the World-Wide Web global information initiative since 1990. This specification reflects common usage of the protocol referred to as “HTTP/1.0”.
The official RFC outlines everything there is to say about HTTP and is located at http://tools.ietf.org/html/rfc2616. If you have any trouble sleeping at night, reading this might help you out.
Berners-Lee had set out to create a way to collate his research documents—to keep things just one click away. It was really just about information and data organization; little did he know he was creating the foundation for today’s commerce. Today, we don’t even see HTTP unless we deliberately want to. It has, for the most part, been abstracted away from us. Yet, it is at the very heart of our applications.
Hypertext Transfer Protocol (HTTP)
There’s this guy—let’s call him Jim. He’s an old-timer who can spin yarns about the first time he ever sat down at a PDP-11. He still has his first programs saved on paper tape and punch cards. He’s one of the first developers who helped to create the Internet that we have come to know and love.
To Jim, protocol-level communication using HTTP is like breathing. In fact, he would prefer to not use a browser at all, but rather just drop into a terminal window and use good ol’ telnet.
Date: Fri, 08, Sep 2006 06:03:23 GMT
Server: Apache/2.2.1 BSafe-SSL/2.3 (Unix)
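As an added example (not code from the book), here is the wire-level exchange Jim types by hand, in Python: one function builds the raw HTTP/1.0 request, the other parses a response like the one above into status, headers, and body. The response bytes are constructed for the example; the host name is a placeholder.

```python
import re

# Constructed sample: the kind of raw response Jim sees in his telnet window.
SAMPLE_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Date: Fri, 08 Sep 2006 06:03:23 GMT\r\n"
    b"Server: Apache/2.2.1 BSafe-SSL/2.3 (Unix)\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 13\r\n"
    b"\r\n"
    b"<html></html>"
)


def build_request(host, path="/", method="GET"):
    """Return the bytes a client (or a person at a telnet prompt) sends.

    HTTP is stateless: every request must carry everything the server
    needs, which is why the request line and headers are all there is.
    """
    return (f"{method} {path} HTTP/1.0\r\n"
            f"Host: {host}\r\n"
            "\r\n").encode("ascii")


def parse_response(raw):
    """Split a raw response into (status_code, headers, body).

    Headers end at the first blank line; header names are case-insensitive,
    so they are lowercased. Content-Length bounds the body when present.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: header block not terminated")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = re.match(r"HTTP/\d\.\d (\d{3})(?: (.*))?$", lines[0])
    if not status:
        raise ValueError("bad status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return int(status.group(1)), headers, body[:length]
```

The parsed Server header is exactly what every client on the Internet learns about the host, which is worth knowing before deciding how much a server should advertise.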